Need some inputs on RBAC governance.
Scenario:
There is a role in QA, READ_ROLE_QA, that has access to 2 schemas, i.e.,
schema_etl & schema_load
Now, under schema_etl, if any objects are getting created, i.e., tables & views, then by default whoever has access to the role "READ_ROLE_QA" is able to see those objects.
But if any object gets created under schema "schema_load", then all users who have access to the role "READ_ROLE_QA" are not able to even see those objects.
What inputs are needed:
How to ensure what access needs to be given to the role "READ_ROLE_QA" so that any object which gets created under schema "schema_load" is, by default, visible to the users having role "READ_ROLE_QA".
Currently "USAGE" privileges are there for the role "READ_ROLE_QA" on the schema "schema_load".
Appreciate any help/inputs on this request.
Please check out FUTURE GRANTS in Snowflake: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#future-grants-on-database-or-schema-objects
The following statement gives the role READ_ROLE_QA access to all future-created tables in your schema schema_load. (Other privileges, like USAGE, are already given.)
grant select on future tables in schema <database>.schema_load to role READ_ROLE_QA;
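As an added example (not part of the answer above), here is the full set of statements a practitioner would run so that READ_ROLE_QA sees both tables and views in schema_load, including ones that already exist. `<database>` is the placeholder from the question; the use of SECURITYADMIN is an assumption (any schema owner, or a role holding MANAGE GRANTS, can define future grants).

```sql
-- Added example: future grants for READ_ROLE_QA on schema_load (replace <database>).
-- Assumption: SECURITYADMIN is used because it holds the global MANAGE GRANTS privilege.
use role SECURITYADMIN;

-- Prerequisite: the role must be able to reach the database and schema at all.
grant usage on database <database> to role READ_ROLE_QA;
grant usage on schema <database>.schema_load to role READ_ROLE_QA;

-- Future grants apply to objects created from now on. Tables and views are separate
-- object types, so a future grant on tables does not make future views visible.
grant select on future tables in schema <database>.schema_load to role READ_ROLE_QA;
grant select on future views  in schema <database>.schema_load to role READ_ROLE_QA;

-- Future grants do NOT touch objects that already exist; back-fill those with ALL.
grant select on all tables in schema <database>.schema_load to role READ_ROLE_QA;
grant select on all views  in schema <database>.schema_load to role READ_ROLE_QA;

-- Verify what will be applied to new objects, and what the role holds today.
show future grants in schema <database>.schema_load;
show grants to role READ_ROLE_QA;
```

Two caveats worth knowing: if future grants exist on both the database and this schema, the schema-level future grants take precedence and the database-level ones are ignored for that schema, so check both levels when a grant seems not to apply; and USAGE on the schema alone only lets the role resolve names, it never makes objects visible, which is exactly the symptom in the question.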
I need to get all the roles and their access to each database object, whether it is read access or write access.
In Snowflake, I tried as below:
show roles
select * from table(RESULT_SCAN (LAST_QUERY_ID()));
I'd like to show ALL grants for ALL roles in one table. My best guess would be to write a procedure that iterates through all the role names, executes the above code, and outputs the result to a table.
Is there a better way of doing this?
I also checked this view, GRANTS_TO_ROLES, but I'm not sure if this gives me all the roles for all the databases.
I am switching my Snowflake roles in my account console, but in my worksheet context the role doesn't automatically reflect it. Do I need to change this in both places all the time?
Let's say you switch your role from A to B in the upper right corner and you want to execute the query with role B. In this case you also have to switch the role in the worksheet to B.
The role at the worksheet level "overrides" the role in your upper right corner.
You can change the role on the worksheet-level by using the GUI or executing USE ROLE xy;.
The role mentioned under your username in the top right-hand corner is for the options available to the left of the same console. This is totally independent of the role selected in each worksheet.
For example, for the ACCOUNTADMIN role you would be able to see an additional option like Account, which will not be available with the PUBLIC role. You can try switching between the roles.
The role selected in the worksheet defines your access privileges on the database objects. The SQL statements executed are evaluated with the worksheet role.
You can use user properties such as DEFAULT_ROLE, DEFAULT_WAREHOUSE & DEFAULT_NAMESPACE (db & schema). Details here.
This will help to get your user context set with the defaults on every new worksheet created.
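The following is an added example (not from the answer above) of setting those user defaults and confirming which role a session is actually evaluating SQL under. The user, role, warehouse and schema names (qa_user, READ_ROLE_QA, QA_WH, QA_DB.SCHEMA_LOAD) are assumptions for illustration.

```sql
-- Added example: set session defaults for a user, then confirm the effective context.
-- Names are assumptions. Run the ALTER USER as a role that can modify users (e.g. USERADMIN).
use role USERADMIN;

-- Setting DEFAULT_ROLE does not grant the role; the grant has to exist separately,
-- otherwise the default silently cannot take effect at login.
grant role READ_ROLE_QA to user qa_user;

alter user qa_user set
    default_role      = READ_ROLE_QA
    default_warehouse = QA_WH
    default_namespace = QA_DB.SCHEMA_LOAD;

-- Confirm the stored properties.
describe user qa_user;

-- In a new worksheet/session of qa_user: the role returned here, not the one shown
-- in the console's top-right menu, is what privilege checks are evaluated against.
select current_role(), current_warehouse(), current_database(), current_schema();

-- Explicitly switching inside the worksheet is still possible and takes precedence.
use role READ_ROLE_QA;
```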
I need to check the roles and grants given to users, but from the metadata tables.
Basically, I need the metadata table where I can query this using multiple roles, e.g. XXX, YYY, ZZZ. I need this to get the hierarchy of the roles that might have been granted.
I can do SHOW GRANTS OF ROLE XXX. This gives me all the users/roles to which this role is granted, but I have to do it for one role at a time.
If I do
SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE ROLE='XXX'
AND DELETED_ON IS null;
It gives me only the users who have been granted this role, not the roles themselves.
If I check the GRANTS_TO_ROLES view, it gives me the actual privileges given to that role, but not the other roles to which that particular role is granted.
What you can do is use the SHOW syntax rather than SELECT:
show roles in account;
will give you the full list of roles (still coming from metadata). Not sure what exactly you want to do with them further, but in case you'd actually want to process the results as a query, you can follow it with
select * from table(result_scan(last_query_id()));
and use it to join with other tables, or just copy it into some sort of temporary table and join further from there.
You mentioned the hierarchy; I suspect you want to see which roles are granted to other roles.
Try this:
show grants of role Your_Role
In the table returned you will see that some roles are assigned to other roles and to users, i.e. column granted_to.
I am trying to get all the roles a user is part of. In my case, the user is part of an admin role which inherits another role, ingestor, which in turn inherits another role, analyst. If I query Snowflake as follows:
show grants to user <userid>
This lists only the admin role but not the other two roles (ingestor, analyst). If the same user logs into Snowflake, they can see all three roles available in the role dropdown.
I need help to get all explicit roles irrespective of role inheritance.
As a start, the views "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_USERS" and "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_ROLES" in combination have the information you need,
but are only accessible to ACCOUNTADMIN
You also have:
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."ENABLED_ROLES";
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."APPLICABLE_ROLES";
The latter looks like a good place to start.
Edit, early 2023:
If you want to make your own near-instant expanded GRANTS_TO_ROLES, you can follow these steps:
Get roles with SHOW ROLES; RESULT_SCAN()
Iterate over roles above with SHOW GRANTS TO ROLE <role>; RESULT_SCAN()
Iterate over ALL_USER_NAMES() with SHOW GRANTS TO USER <user>; RESULT_SCAN()
Finally create a SELECT statement with a recursive Common Table Expression expanding the nested roles
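As an added example (not from the answer above, which only sketches the steps), the query below implements the last step against the ACCOUNT_USAGE views instead of stitched-together SHOW output: it walks role-to-role grants with a recursive CTE to get every role a user effectively holds, then joins the privileges of those roles. It also serves the earlier question about listing all roles with their read/write access in one table. The READ/WRITE bucketing in `access_kind` is an assumption for illustration; adjust it to your own policy.

```sql
-- Added example: expand the role hierarchy from ACCOUNT_USAGE with a recursive CTE.
-- Needs a role that can read SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN, or a role granted
-- IMPORTED PRIVILEGES on the SNOWFLAKE database). These views lag live state by up to ~2 hours,
-- so recent grants/revokes may be missing; use SHOW for an authoritative point-in-time check.
with recursive
role_edges (parent_role, child_role) as (
    -- A role-to-role grant is recorded as privilege USAGE on an object of type ROLE.
    -- parent_role inherits everything granted to child_role.
    select grantee_name, name
    from snowflake.account_usage.grants_to_roles
    where granted_on = 'ROLE' and granted_to = 'ROLE'
      and privilege = 'USAGE' and deleted_on is null
),
user_roles (user_name, role_name) as (
    -- Direct grants only, i.e. what SHOW GRANTS TO USER returns.
    select grantee_name, role
    from snowflake.account_usage.grants_to_users
    where deleted_on is null
),
effective_roles (user_name, role_name, via_role, depth) as (
    select user_name, role_name, role_name, 0 from user_roles
    union all
    select e.user_name, r.child_role, r.parent_role, e.depth + 1
    from effective_roles e
    join role_edges r on r.parent_role = e.role_name
    where e.depth < 32   -- defensive bound on hierarchy depth
),
role_privs (role_name, privilege, granted_on, object_name, access_kind) as (
    select grantee_name, privilege, granted_on, name,
           case
             when privilege in ('SELECT', 'REFERENCES') then 'READ'
             when privilege in ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'OWNERSHIP')
                  or privilege like 'CREATE%' then 'WRITE'
             else 'OTHER'   -- USAGE, MONITOR, OPERATE, ...: assumed bucketing, adjust to policy
           end
    from snowflake.account_usage.grants_to_roles
    where granted_to = 'ROLE' and granted_on <> 'ROLE' and deleted_on is null
)
select e.user_name,
       e.role_name as effective_role,
       e.via_role,
       e.depth,
       p.privilege,
       p.access_kind,
       p.granted_on,
       p.object_name
from effective_roles e
join role_privs p on p.role_name = e.role_name
order by e.user_name, e.depth, e.role_name, p.granted_on, p.object_name;
```

Rows with `depth = 0` are the direct grants the SHOW GRANTS TO USER command lists; deeper rows are the inherited roles that only show up in the user's role dropdown. Filtering on `e.user_name` or on `p.access_kind = 'WRITE'` turns this into the "who can write what" report an access review usually asks for.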
I found the best way to find all roles with inherited roles.
Just run the SQL below:
SELECT CURRENT_AVAILABLE_ROLES()
Is it possible to grant permissions for a role to only SELECT and INSERT in a database schema, or do I have to do it for every table individually?
USE [database1]
GO
CREATE ROLE [role1]
GO
-- Schema-scoped grant: SCHEMA:: names the securable class; a three-part
-- [database].[schema] name is not valid here.
GRANT INSERT, SELECT ON SCHEMA::[schema1] TO [role1]
GO
P.S. Can I create a role without assigning anybody to that role? Because, as I read in
https://msdn.microsoft.com/en-us/library/ms187940.aspx
it says that when you create a role and don't assign anybody, the user with which you created the role will be assigned to it.
The short answer is yes. Create a role with the required DML permissions to a schema, like you've scripted above. Then you will need to assign users to the new role if you want to give them this access. Like this:
ALTER ROLE [role1] ADD MEMBER [user1]
GO
I think you might be getting this confused with ownership chaining. I don't think you want to do this.
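As an added example (not from the question or the answer above), here is a complete T-SQL script for the schema-scoped approach, together with the checks a reviewer would run: what the role was actually granted and on which securable class, who its members are, and whether a table created after the grant is covered without a further GRANT. The database, schema, role and user names (SalesDb, app, app_writer, alice) are assumptions.

```sql
-- Added example: schema-scoped DML permission in SQL Server, with verification.
-- Names (SalesDb, app, app_writer, alice) are assumptions for illustration.
USE [SalesDb];
GO
-- AUTHORIZATION sets the role's OWNER; it does not add a member. Owning it by dbo keeps
-- ownership predictable instead of tying it to whoever ran the script.
CREATE ROLE [app_writer] AUTHORIZATION [dbo];
GO
-- One grant on the schema securable covers every table and view in it, now and later.
GRANT SELECT, INSERT ON SCHEMA::[app] TO [app_writer];
GO
-- Membership is separate from creation: nobody is in the role until added explicitly.
ALTER ROLE [app_writer] ADD MEMBER [alice];
GO
-- Check 1: what did the role actually get, and on what class of securable?
SELECT pr.name AS principal_name,
       dp.class_desc,
       s.name AS schema_name,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.schemas AS s ON dp.class_desc = 'SCHEMA' AND s.schema_id = dp.major_id
WHERE pr.name = 'app_writer';
GO
-- Check 2: who is in the role (and nobody who should not be).
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'app_writer';
GO
-- Check 3: a table created after the grant is covered without any further GRANT,
-- and the permissions that were not granted (here DELETE) are still denied.
CREATE TABLE [app].[orders_new] (id INT PRIMARY KEY, amount DECIMAL(10, 2));
GO
EXECUTE AS USER = 'alice';
SELECT HAS_PERMS_BY_NAME('app.orders_new', 'OBJECT', 'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME('app.orders_new', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
GO
```

For the last check, can_insert should come back as 1 and can_delete as 0. The first check is the one to keep in an access-review script: if class_desc shows OBJECT_OR_COLUMN rows instead of a single SCHEMA row, someone granted per table and new tables will not be covered.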